NAME

DESCRIPTION

FILEFORMAT

The file consists of comments and options with arguments. Each line
which starts with a hash (#) symbol is ignored by the parser. Options
and arguments are case sensitive and of the form OptionArgument. The
arguments are of the following types:
BOOL Boolean value (yes/no or true/false or 1/0).
STRING String without blank characters.
SIZE Size in bytes. You can use 'M' or 'm' modifiers for megabytes
and 'K' or 'k' for kilobytes.
NUMBER Unsigned integer.

DIRECTIVES

When some option is not used (commented out or not included in the
configuration file at all) clamd takes a default action.
Example
If this option is set clamd will not run.
LogFileSTRING
Enable logging to selected file.
Default: no
LogFileUnlockBOOL
Disable a system lock that protects against running clamd with
the same configuration file multiple times.
Default: no
LogFileMaxSizeSIZE
Limit the size of the log file. The logger will be automatically
disabled if the file is greater than SIZE. Value of 0 disables
the limit.
Default: 1M
LogTimeBOOL
Log time for each message.
Default: no
LogCleanBOOL
Log clean files.
Default: no
LogSyslogBOOL
Use system logger (can work together with LogFile).
Default: no
LogFacilitySTRING
Specify the type of syslog messages - please refer to 'man
syslog' for facility names.
Default: LOG_LOCAL6
LogVerboseBOOL
Enable verbose logging.
Default: no
ExtendedDetectionInfoBOOL
Log additional information about the infected file, such as its
size and hash, together with the virus name.
Default: no
PidFileSTRING
Save the process identifier of a listening daemon (main thread)
to a specified file.
Default: no
TemporaryDirectorySTRING
Optional path to the global temporary directory.
Default: system specific (usually /tmp or /var/tmp).
DatabaseDirectorySTRING
Path to a directory containing database files.
OfficialDatabaseOnlyBOOL
Only load the official signatures published by the ClamAV
project.
Default: no
LocalSocketSTRING
Path to a local (Unix) socket the daemon will listen on.
Default: no
LocalSocketGroupSTRING
Sets the group ownership on the unix socket.
Default: the primary group of the user running clamd
LocalSocketModeSTRING
Sets the permissions on the unix socket to the specified mode.
Default: socket is world readable and writable
FixStaleSocketBOOL
Remove stale socket after unclean shutdown.
Default: yes
TCPSocketNUMBER
TCP port number the daemon will listen on.
Default: no
TCPAddrSTRING
TCP socket address to bind to. By default clamd binds to
INADDR_ANY.
Default: no
MaxConnectionQueueLengthNUMBER
Maximum length the queue of pending connections may grow to.
Default: 200
MaxThreadsNUMBER
Maximum number of threads running at the same time.
Default: 10
ReadTimeoutNUMBER
Waiting for data from a client socket will timeout after this
time (seconds).
Default: 120
CommandReadTimeoutNUMBER
This option specifies the time (in seconds) after which clamd
should timeout if a client doesn't provide any initial command
after connecting. Note: the timeout for subsequents commands,
and/or data chunks is specified by ReadTimeout.
Default: 5
SendBufTimeoutNUMBER
This option specifies how long to wait (in milliseconds) if the
send buffer is full. Keep this value low to prevent clamd
hanging.
Default: 500
MaxQueueNUMBER
Maximum number of queued items (including those being processed
by MaxThreads threads). It is recommended to have this value at
least twice MaxThreads if possible.
WARNING:youshouldn'tincreasethistoomuchtoavoidrunningoutoffiledescriptors,thefollowingconditionshouldhold:MaxThreads*MaxRecursion+MaxQueue-MaxThreads+6<RLIMIT_NOFILE. RLIMIT_NOFILE is the maximum number of open file
descriptors (usually 1024), set by ulimit-n.
Default: 100
IdleTimeoutNUMBER
Waiting for a new job will timeout after this time (seconds).
Default: 30
ExcludePathREGEX
Don't scan files and directories matching REGEX. This directive
can be used multiple times.
Default: scan all
MaxDirectoryRecursionNUMBER
Maximum depth directories are scanned at.
Default: 15
FollowDirectorySymlinksBOOL
Follow directory symlinks.
Default: no
CrossFilesystemsBOOL
Scan files and directories on other filesystems.
Default: yes
FollowFileSymlinksBOOL
Follow regular file symlinks.
Default: no
SelfCheckNUMBER
Perform a database check.
Default: 1800
VirusEventCOMMAND
Execute COMMAND when a virus is found. In the command string %v
will be replaced with the virus name.
Default: no
ExitOnOOMBOOL
Stop daemon when libclamav reports out of memory condition.
Default: no
UserSTRING
Run as another user (clamd must be started by root to make this
option working).
Default: no
AllowSupplementaryGroupsBOOL
Initialize supplementary group access (clamd must be started by
root).
Default: no
ForegroundBOOL
Don't fork into background.
Default: no
DebugBOOL
Enable debug messages from libclamav.
LeaveTemporaryFilesBOOL
Do not remove temporary files (for debug purpose).
Default: no
StreamMaxLengthSIZE
Clamd uses FTP-like protocol to receive data from remote
clients. If you are using clamav-milter to balance load between
remote clamd daemons on firewall servers you may need to tune
the Stream* options. This option allows you to specify the upper
limit for data size that will be transfered to remote daemon
when scanning a single file. It should match your MTA's limit
for a maximum attachment size.
Default: 10M
StreamMinPortNUMBER
Limit data port range.
Default: 1024
StreamMaxPortNUMBER
Limit data port range.
Default: 2048
BytecodeBOOL
With this option enabled ClamAV will load bytecode from the
database. It is highly recommended you keep this option turned
on, otherwise you may miss detections for many new viruses.
Default: yes
BytecodeSecuritySTRING
Set bytecode security level. Possible values: TrustSigned: trust
bytecode loaded from signed .c[lv]d files and insert runtime
safety checks for bytecode loaded from other sources, Paranoid:
don't trust any bytecode, insert runtime checks for all. The
recommended setting is TrustSigned, because bytecode in .cvd
files already has safety checks inserted into it.
Default: TrustSigned
BytecodeUnsignedBOOL
Allow loading bytecode from outside digitally signed .c[lv]d
files.
Default: no
BytecodeTimeoutNUMBER
Set bytecode timeout in milliseconds.
Default: 5000
DetectPUABOOL
Detect Possibly Unwanted Applications.
Default: No
ExcludePUACATEGORY
Exclude a specific PUA category. This directive can be used
multiple times. See http://www.clamav.net/support/pua for the
complete list of PUA categories.
Default: Load all categories (if DetectPUA is activated)
IncludePUACATEGORY
Only include a specific PUA category. This directive can be used
multiple times. See http://www.clamav.net/support/pua for the
complete list of PUA categories.
Default: Load all categories (if DetectPUA is activated)
AlgorithmicDetectionBOOL
In some cases (eg. complex malware, exploits in graphic files,
and others), ClamAV uses special algorithms to provide accurate
detection. This option controls the algorithmic detection.
Default: yes
ScanPEBOOL
PE stands for Portable Executable - it's an executable file
format used in all 32 and 64-bit versions of Windows operating
systems. This option allows ClamAV to perform a deeper analysis
of executable files and it's also required for decompression of
popular executable packers such as UPX.
Default: yes
ScanELFBOOL
Executable and Linking Format is a standard format for UN*X
executables. This option allows you to control the scanning of
ELF files.
Default: yes
DetectBrokenExecutablesBOOL
With this option clamd will try to detect broken executables
(both PE and ELF) and mark them as Broken.Executable.
Default: no
ScanOLE2BOOL
This option enables scanning of OLE2 files, such as Microsoft
Office documents and .msi files.
Default: yes
OLE2BlockMacrosBOOL
With this option enabled OLE2 files with VBA macros, which were
not detected by signatures will be marked as
"Heuristics.OLE2.ContainsMacros".
Default: no
ScanPDFBOOL
This option enables scanning within PDF files.
Default: yes
ScanHTMLBOOL
Enables HTML detection and normalisation.
Default: yes
ScanMailBOOL
Enable scanning of mail files.
Default: yes
ScanPartialMessagesBOOL
Scan RFC1341 messages split over many emails. You will need to
periodically clean up $TemporaryDirectory/clamav-partial
directory. WARNING:ThisoptionmayopenyoursystemtoaDoSattack.Neveruseitonloadedservers.
Default: no
MailMaxRecursionNUMBER(OBSOLETE)WARNING: This option is no longer accepted. See MaxRecursion.
PhishingSignaturesBOOL
With this option enabled ClamAV will try to detect phishing
attempts by using signatures.
Default: yes
PhishingScanURLsBOOL
Scan URLs found in mails for phishing attempts using heuristics.
This will classify "Possibly Unwanted" phishing emails as
Phishing.Heuristics.Email.*
Default: yes
PhishingAlwaysBlockSSLMismatchBOOL
Always block SSL mismatches in URLs, even if the URL isn't in
the database. This can lead to false positives.
Default: no
PhishingAlwaysBlockCloakBOOL
Always block cloaked URLs, even if URL isn't in database. This
can lead to false positives.
Default: no
HeuristicScanPrecedenceBOOL
Allow heuristic match to take precedence. When enabled, if a
heuristic scan (such as phishingScan) detects a possible
virus/phishing it will stop scanning immediately. Recommended,
saves CPU scan-time. When disabled, virus/phishing detected by
heuristic scans will be reported only at the end of a scan. If
an archive contains both a heuristically detected
virus/phishing, and a real malware, the real malware will be
reported. Keep this disabled if you intend to handle
"*.Heuristics.*" viruses differently from "real" malware. If a
non-heuristically-detected virus (signature-based) is found
first, the scan is interrupted immediately, regardless of this
config option.
Default: no
StructuredDataDetectionBOOL
Enable the DLP module.
Default: no
StructuredMinCreditCardCountNUMBER
This option sets the lowest number of Credit Card numbers found
in a file to generate a detect.
Default: 3
StructuredMinSSNCountNUMBER
This option sets the lowest number of Social Security Numbers
found in a file to generate a detect.
Default: 3
StructuredSSNFormatNormalBOOL
With this option enabled the DLP module will search for valid
SSNs formatted as xxx-yy-zzzz.
Default: Yes
StructuredSSNFormatStrippedBOOL
With this option enabled the DLP module will search for valid
SSNs formatted as xxxyyzzzz.
Default: No
ScanArchiveBOOL
Enable archive scanning.
Default: yes
ArchiveMaxFileSize(OBSOLETE)WARNING: This option is no longer accepted. See MaxFileSize and
MaxScanSize.
ArchiveMaxRecursion(OBSOLETE)WARNING: This option is no longer accepted. See MaxRecursion.
ArchiveMaxFiles(OBSOLETE)WARNING: This option is no longer accepted. See MaxFiles.
ArchiveMaxCompressionRatio(OBSOLETE)WARNING: This option is no longer accepted.
ArchiveBlockMax(OBSOLETE)WARNING: This option is no longer accepted.
ArchiveLimitMemoryUsage(OBSOLETE)WARNING: This option is no longer accepted.
Default: no
ArchiveBlockEncryptedBOOL
Mark encrypted archives as viruses (Encrypted.Zip,
Encrypted.RAR).
Default: no
MaxScanSizeSIZE
Sets the maximum amount of data to be scanned for each input
file. Archives and other containers are recursively extracted
and scanned up to this value. Warning:disablingthislimitorsettingittoohighmayresultinseveredamagetothesystem.
Default: 100M
MaxFileSizeSIZE
Files larger than this limit won't be scanned. Affects the input
file itself as well as files contained inside it (when the input
file is an archive, a document or some other kind of container).
Warning:disablingthislimitorsettingittoohighmayresultinseveredamagetothesystem.
Default: 25M
MaxRecursionNUMBER
Nested archives are scanned recursively, e.g. if a Zip archive
contains a RAR file, all files within it will also be scanned.
This options specifies how deeply the process should be
continued. Warning:settingthislimittoohighmayresultinseveredamagetothesystem.
Default: 16
MaxFilesNUMBER
Number of files to be scanned within an archive, a document, or
any other kind of container. Warning:disablingthislimitorsettingittoohighmayresultinseveredamagetothesystem.
Default: 10000
ClamukoScanOnAccessBOOL
Enable Clamuko. Dazuko (/dev/dazuko) must be configured and
running.
Default: no
ClamukoScannerCountNUMBER
The number of scanner threads that will be started (DazukoFS
only). Having multiple scanner threads allows Clamuko to serve
multiple processes simultaneously. This is particularly
beneficial on SMP machines.
Default: 3
ClamukoScanOnOpenBOOL
Scan files on open.
Default: no
ClamukoScanOnCloseBOOL
Scan files on close.
Default: no.
ClamukoScanOnExecBOOL
Scan files on execute.
Default: no
ClamukoIncludePathSTRING
Set the include paths (all files and directories inside them
will be scanned). You can have multiple ClamukoIncludePath
directives but each directory must be added in a separate line).
Default: no
ClamukoExcludePathSTRING
Set the exclude paths. All subdirectories will also be excluded.
Default: no ClamukoExcludeUIDNUMBER With this option you can
whitelist specific UIDs. Processes with these UIDs will be able
to access all files. This option can be used multiple times (one
per line).
Default: no
ClamukoMaxFileSizeSIZE
Ignore files larger than SIZE.
Default: 5M

NOTES

All options expressing a size are limited to max 4GB. Values in excess
will be resetted to the maximum.